How to install Jasig CAS SSO plugged on Active Directory using SSL

This article is a tutorial on deploying the Jasig CAS Single Sign-On solution and integrating it with Apache2 as the web server, Tomcat as the servlet container and Active Directory as the authentication backend. Every communication link will be secured with SSL: clients talk to CAS over https, and CAS talks to Active Directory over ldaps.

Requirements

In this article I assume you have a running Windows Server 2008 R2 domain controller with Active Directory and LDAP over SSL (LDAPS, TCP port 636) enabled. You also need a running Linux distribution with apache2 and vim, on which you will host Tomcat 6 and Jasig CAS 3.4.2.

First, download Tomcat 6 and the Jasig CAS 3.4.2 distribution onto your Linux box (on my installation I put those two tarballs in the /opt/ directory):

Then place the private key and the certificate that Apache will present to browsers in their appropriate folders (the key must stay readable by root only):

# cp cert.pem /etc/ssl/certs/
# cp key.pem /etc/ssl/private/

Reload Apache:

# service apache2 reload

Jasig CAS configuration

Now let's configure CAS itself. Its configuration files are stored in this directory:

# cd /opt/cas-server-3.4.2/cas-server-webapp/src/main/webapp/WEB-INF

First we are going to configure the connection to Active Directory, so edit the deployerConfigContext.xml file:

# vim deployerConfigContext.xml

Assuming that your Active Directory domain is mydomain.com and that you want users to authenticate with their Active Directory identifier (here the cn attribute), you must add the following bean within the property named authenticationHandlers of the authenticationManager bean. It is the handler CAS uses to check credentials against Active Directory. Add it in place of the SimpleTestUsernamePasswordAuthenticationHandler that ships in the default file: that test handler accepts any login whose password equals the username and must never stay enabled on a real deployment:

In the same file, at the end of the beans tag (just before the closing </beans>), add the following bean, which tells CAS how to contact Active Directory. The urls property gives the AD URL, and the baseEnvironmentProperties property specifies whether or not to connect using SSL and which kind of authentication to use. Be careful about a few things. First, if you want to connect to Active Directory using SSL, you have to use ldaps in the URL in addition to the baseEnvironmentProperties entry. Second, you need a read-only account in Active Directory that CAS binds with to look up the user before re-binding as that user with the submitted password. In my example here, this account is lecteur, connecting with lecteur as its password; the password sits in clear text in this file, so keep the file readable by the Tomcat user only and choose a real password.
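As an added example (not code from the original article), here is what the two beans described above look like in a CAS 3.4.2 deployerConfigContext.xml. The domain controller name dc1.mydomain.com and the cn=Users,dc=mydomain,dc=com search base are assumptions; the lecteur/lecteur service account and the cn-based filter are taken from the text. The handler class lives in the cas-server-support-ldap module, which has to be listed as a dependency in cas-server-webapp/pom.xml for the class to be found at startup.

```xml
<!-- 1) Goes inside <property name="authenticationHandlers"><list> of the
        authenticationManager bean, replacing the default
        SimpleTestUsernamePasswordAuthenticationHandler. -->
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <!-- %u is replaced by the login the user typed; cn=%u follows the article.
         Most AD sites log in with sAMAccountName=%u instead. -->
    <property name="filter" value="cn=%u" />
    <!-- Assumed container of the user objects (cn=Users is the AD default). -->
    <property name="searchBase" value="cn=Users,dc=mydomain,dc=com" />
    <!-- AD answers domain-wide searches with referrals; do not treat them as errors. -->
    <property name="ignorePartialResultException" value="true" />
    <property name="contextSource" ref="contextSource" />
</bean>

<!-- 2) Goes just before </beans>: how CAS reaches the directory. -->
<bean id="contextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
    <!-- No pooling: the bind handler authenticates as a different user each time. -->
    <property name="pooled" value="false" />
    <property name="urls">
        <list>
            <!-- Assumed DC host name; must match the certificate you import into the
                 Java truststore. ldaps:// and the ssl entry below are BOTH required. -->
            <value>ldaps://dc1.mydomain.com:636/</value>
        </list>
    </property>
    <!-- Read-only account CAS binds with to find the user's DN (from the article). -->
    <property name="userDn" value="cn=lecteur,cn=Users,dc=mydomain,dc=com" />
    <property name="password" value="lecteur" />
    <property name="baseEnvironmentProperties">
        <map>
            <!-- Use SSL for the JNDI connection. -->
            <entry key="java.naming.security.protocol" value="ssl" />
            <!-- Simple bind: the password travels inside the SSL tunnel only. -->
            <entry key="java.naming.security.authentication" value="simple" />
            <!-- Fail fast (milliseconds) if the DC is unreachable. -->
            <entry key="com.sun.jndi.ldap.connect.timeout" value="3000" />
        </map>
    </property>
</bean>
```

You can check the LDAPS link independently of CAS with openssl s_client -connect dc1.mydomain.com:636; it also shows which certificate chain has to be trusted by the Java truststore in the next step. If the handshake fails there, it will fail inside CAS too.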

Apache2 and Tomcat integration (mod_jk)

To make the certificate available to Java applications, whether or not they run in Tomcat, you have to add the Active Directory certificate to the JVM truststore (the cacerts keystore under $JAVA_HOME/jre/lib/security, imported with keytool -import -trustcacerts; its default password is changeit). Prefer the certificate of the CA that issued the domain controller's certificate over the controller's own certificate, and make sure the host name you put in the ldaps URL matches the certificate's subject, otherwise the SSL handshake will fail. So retrieve this certificate and copy it to /etc/ssl/certs. Let's say it is named ad.crt:

Apache and Tomcat communicate with each other over a dedicated protocol, AJP. The following procedure tells Apache to use it to reach your Tomcat instance. First install mod_jk and enable it:

# aptitude install libapache2-mod-jk
# a2enmod jk

Then edit the jk.load file to tell mod_jk where its workers.properties file is, by adding a single line:

Finally, we are going to configure the Apache SSL VirtualHost. First, change the document root by commenting out the following line:

DocumentRoot /var/www

And adding this one (be aware that Apache will then serve every file under Tomcat's webapps directory as static content, WEB-INF directories and their configuration files included, for any application not covered by a JkMount below; either deny access to WEB-INF in the Apache configuration or keep only the CAS webapp in that directory):

DocumentRoot /opt/tomcat6/webapps/

Now let's add the Tomcat part:

JkMount /*.jsp worker1
JkMount /cas/* worker1
JkExtractSSL On
# Which variable indicates SSL (default is HTTPS)
JkHTTPSIndicator HTTPS
# Which variable carries the SSL session id (default is SSL_SESSION_ID)
JkSESSIONIndicator SSL_SESSION_ID
# Which variable carries the client SSL cipher suite (default is SSL_CIPHER)
JkCIPHERIndicator SSL_CIPHER
# Which variable carries the client SSL certificate (default is SSL_CLIENT_CERT)
JkCERTSIndicator SSL_CLIENT_CERT

And since CAS is the only application running on our Apache SSL host, we will tweak it such that users are redirected to CAS when they request the root: